MouseJacking

By Stefan Benediktsson

Mousejacking

Background

We often rely on the false presumption that we are secure behind encrypted devices. But how can we be sure?

Recently Bastille Networks (1) presented a vulnerability they are calling MouseJacking (2), making it possible to inject commands using wireless mouse and keyboard products.

The researchers took a USB dongle called Crazyradio PA (3), used to control a drone developed by the Swedish company Bitcraze (4), and hacked the firmware to turn it into a wireless keyboard-and-mouse sniffer. They were able to reverse engineer the communication protocols used by wireless keyboard and mouse products that rely on 2.4GHz USB radio receivers.

Mousejacking only applies to mice and keyboards that rely on radio receivers on the 2.4GHz band. The vulnerability does not cover Bluetooth devices.

They found a number of flaws in the way devices handle the data transferred between your keyboard or mouse and your computer.

Those findings include:

  • Mouse data is usually unencrypted and unauthenticated. This means that you can sniff out what the mouse is doing, and even inject fake mouse-moves and clicks.

  • Keyboard data is usually encrypted, but some receiver dongles will accept unencrypted data anyway. It is not possible to intercept what the user is typing, but you can inject fake keystrokes from a distance without the need to know the encryption key.

  • Some dongles accept keyboard data from a mouse. If the dongle requires encrypted keyboards but allows unencrypted mice, you can pretend to be a mouse but send unencrypted keystrokes without the need to know the encryption key.

  • Some dongles can be tricked into pairing with new devices without any action by the user. So if your dongle is plugged in, a rogue keyboard could secretly pair with it, get the dongle’s encryption key, and start injecting keystrokes.

You might think that you would notice your mouse making strange movements or your keyboard typing commands on its own, and be able to take action against it. But it would probably already be too late. A software-controlled “keyboard” can type at a speed of around 150 characters/second, which is much faster than the average human typist. And all it takes is a few well-planned keystrokes to download and install some malicious program.
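The speed gap described above is also something a host-side monitor can measure. The following is an added example, not code from the original post or from Bastille: it flags runs of key-down events that arrive faster than a human could sustain. The 25 characters/second ceiling, the 8-key window and the sample timestamps are assumptions constructed for illustration.

```python
from collections import deque

HUMAN_MAX_CPS = 25.0  # assumption: generous ceiling for sustained human typing
WINDOW = 8            # assumption: keystrokes per sliding window


def find_injected_bursts(timestamps, max_cps=HUMAN_MAX_CPS, window=WINDOW):
    """Return merged (start, end) spans, in seconds, where `window`
    consecutive key-down events arrive faster than `max_cps`."""
    spans = []
    recent = deque(maxlen=window)
    for t in timestamps:
        recent.append(t)
        if len(recent) < window:
            continue
        elapsed = recent[-1] - recent[0]
        # `window` events span window-1 inter-key intervals
        rate = float("inf") if elapsed <= 0 else (window - 1) / elapsed
        if rate <= max_cps:
            continue
        if spans and recent[0] <= spans[-1][1]:
            # overlaps the previous flagged window: extend that span
            spans[-1] = (spans[-1][0], recent[-1])
        else:
            spans.append((recent[0], recent[-1]))
    return spans


def build_sample():
    """Constructed key-down timestamps: a person typing at about 6 cps,
    a 40-key burst at the 150 cps rate quoted above, then the person again."""
    events = [i / 6 for i in range(18)]
    events += [5.0 + i / 150 for i in range(40)]
    events += [8.0 + i / 6 for i in range(12)]
    return events


if __name__ == "__main__":
    for start, end in find_injected_bursts(build_sample()):
        print(f"suspicious burst from {start:.3f}s to {end:.3f}s")
```

A monitor like this only sees the burst as it happens, so it is useful for alerting or for locking input mid-burst, not as a replacement for fixing or replacing a vulnerable dongle.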